<?php
/*
 * priv.inc
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2004-2013 BSD Perimeter
 * Copyright (c) 2013-2016 Electric Sheep Fencing
 * Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate)
 * Copyright (c) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
 * Copyright (c) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
 * Copyright (c) 2008 Shrew Soft Inc
 * Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>.
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/* priv.defs.inc and auth_func.inc are presumably where the base
 * privilege definitions and the page-match helpers (cmp_page_matches()
 * and friends) used by the access checks below come from — confirm
 * against those files. */
require_once("priv.defs.inc");
require_once("auth_func.inc");
/* Custom privs: list the entries of a privilege directory here; the loop below includes the *.inc files it returns. */
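/**
 * List the entries of a privilege definition directory.
 *
 * Returns the names of every entry in $directory except "." and "..".
 * No other filtering happens here: subdirectories and non-.inc names
 * are returned too and the caller decides what to include. Note that
 * the callers in this file execute the listed .inc files as PHP, so
 * the directories handed to this function must be trusted, system-
 * owned locations.
 *
 * @param string $directory absolute path of the directory to scan
 * @return array list of entry names in readdir() order; an empty array
 *               when $directory is not a directory or cannot be opened
 *               (callers iterate the result, so an empty array replaces
 *               the former null return and avoids a foreach on null)
 */
function get_priv_files($directory) {
	$dir_array = array();
	if (!is_dir($directory)) {
		return $dir_array;
	}

	$dh = opendir($directory);
	if ($dh === false) {
		return $dir_array;
	}

	while (($file = readdir($dh)) !== false) {
		/* only the self/parent links are skipped */
		if ($file === "." || $file === "..") {
			continue;
		}
		$dir_array[] = $file;
	}
	closedir($dh);

	return $dir_array;
}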
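// Load and sort privs.
// Every regular *.inc file in these directories is executed as PHP and is
// expected to add entries to $priv_list: /etc/inc/priv holds the base
// system privileges, /usr/local/pkg/priv the ones installed by packages.
// A directory that does not exist is skipped instead of being iterated
// as null.
$priv_dirs = array("/etc/inc/priv", "/usr/local/pkg/priv");
foreach ($priv_dirs as $priv_dir) {
	if (!is_dir($priv_dir)) {
		continue;
	}
	$dir_array = get_priv_files($priv_dir);
	if (!is_array($dir_array)) {
		continue;
	}
	foreach ($dir_array as $file) {
		// only regular .inc files; subdirectories are skipped
		if (!is_dir("{$priv_dir}/{$file}") && substr($file, -4) === ".inc") {
			include_once("{$priv_dir}/{$file}");
		}
	}
}
unset($priv_dirs, $priv_dir);

if (isset($priv_list) && is_array($priv_list)) {
	sort_privs($priv_list);
}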
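/**
 * uksort() comparator for privilege names.
 *
 * Privileges named "user-*" sort before every other privilege; within
 * each of the two groups names are compared case-insensitively.
 *
 * @param string $a privilege name
 * @param string $b privilege name
 * @return int negative when $a sorts first, positive when $b sorts
 *             first, 0 when the names compare equal
 */
function cmp_privkeys($a, $b) {
	/* user privs at the top */
	$auser = (strncmp("user-", $a, 5) === 0);
	$buser = (strncmp("user-", $b, 5) === 0);
	if ($auser !== $buser) {
		/* Compare the flags, not the raw strncmp() results: the sign of
		 * strncmp("user-", $x) depends on how $x compares to "user-"
		 * lexically, which placed e.g. "zzz" ahead of "user-x". */
		return $auser ? -1 : 1;
	}

	/* name compare others */
	return strcasecmp($a, $b);
}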
/**
 * Sort a privilege list in place by privilege name, "user-*" first.
 *
 * The array keys are the privilege names; the ordering is defined by
 * cmp_privkeys().
 *
 * @param array $privs privilege list, reordered in place
 * @return void
 */
function sort_privs(& $privs) {
	$comparator = 'cmp_privkeys';
	uksort($privs, $comparator);
}
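/**
 * Find the "page-*" privilege whose match list covers $page.
 *
 * @param string $page page name to look up; "any" or "*" asks for a
 *                     full-wildcard comparison (see cmp_page_matches())
 * @return string|false name of the first matching page privilege in
 *                      $priv_list order, or false when none matches
 */
function map_page_privname($page) {
	global $priv_list;

	if (!is_array($priv_list)) {
		return false;
	}

	/* loop-invariant: whether the caller asked for the full wildcard */
	$fullwc = (!strcasecmp($page, "any") || !strcmp($page, "*"));

	foreach ($priv_list as $pname => $pdata) {
		if (strncmp($pname, "page-", 5)) {
			continue;
		}
		/* a page privilege without a match list cannot cover any page */
		if (!isset($pdata['match'])) {
			continue;
		}
		if (cmp_page_matches($page, $pdata['match'], $fullwc)) {
			return $pname;
		}
	}

	return false;
}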
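/**
 * Collect the privilege definitions that apply to a user.
 *
 * The result lists, in this order, the privileges inherited from each
 * of the user's groups (each copy annotated with a 'group' key naming
 * the group it came from) and then the privileges assigned to the user
 * directly. A group privilege the user also holds directly is reported
 * once, under the user. Names with no entry in $priv_list are ignored.
 *
 * @param array $user user entry (by reference, not modified here)
 * @return array list of $priv_list entries
 */
function get_user_privdesc(& $user) {
	global $priv_list;

	$privs = array();
	if (!is_array($priv_list)) {
		return $privs;
	}

	$user_privs = array();
	if (isset($user['priv']) && is_array($user['priv'])) {
		$user_privs = $user['priv'];
	}

	$names = local_user_get_groups($user, true);
	if (is_array($names)) {
		foreach ($names as $name) {
			$group = getGroupEntry($name);
			if (!isset($group['priv']) || !is_array($group['priv'])) {
				continue;
			}
			foreach ($group['priv'] as $pname) {
				/* directly assigned privs are reported under the user below */
				if (in_array($pname, $user_privs, true)) {
					continue;
				}
				if (empty($priv_list[$pname])) {
					continue;
				}
				$priv = $priv_list[$pname];
				$priv['group'] = $group['name'];
				$privs[] = $priv;
			}
		}
	}

	foreach ($user_privs as $pname) {
		if (!empty($priv_list[$pname])) {
			$privs[] = $priv_list[$pname];
		}
	}

	return $privs;
}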
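/**
 * Tell whether a user name belongs to the administrative (uid 0) account.
 *
 * @param string|null $username local user name to look up
 * @return bool true only when a local user entry exists for $username
 *              and its uid validates as the integer 0
 */
function isAdminUID($username) {
	if (!isset($username)) {
		return false;
	}

	/* admin/root access check */
	$user = getUserEntry($username);
	if (!isset($user['uid'])) {
		return false;
	}

	/* The uid is stored as a string in the config. Validate it as an
	 * integer before comparing so that only a genuine "0" grants the
	 * admin short-circuit; a non-numeric or malformed uid is denied
	 * rather than left to loose comparison. */
	return filter_var($user['uid'], FILTER_VALIDATE_INT) === 0;
}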
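/**
 * Access check for a user against a page.
 *
 * The uid-0 account is always allowed. Every other user is checked
 * against the page-match list computed by getAllowedPages() and kept in
 * $_SESSION['page-match']; when that list is absent the page is denied.
 *
 * @param string|null $username user name
 * @param string $page page to check
 * @return bool
 */
function isAllowed($username, $page) {
	if (!isset($username)) {
		return false;
	}

	if (isAdminUID($username)) {
		return true;
	}

	/* user privilege access check; no page list means nothing is allowed */
	if (!isset($_SESSION['page-match'])) {
		return false;
	}

	return (bool)cmp_page_matches($page, $_SESSION['page-match']);
}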
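/**
 * Access check for the session's logged-in user against $page.
 *
 * Thin wrapper around isAllowed() using $_SESSION['Username']; a session
 * without a user name is denied.
 *
 * @param string $page page to check
 * @return bool
 */
function isAllowedPage($page) {
	if (!isset($_SESSION['Username'])) {
		return false;
	}

	/* keep a single enforcement path: the admin short-circuit and the
	 * page-match check live in isAllowed() */
	return isAllowed($_SESSION['Username'], $page);
}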
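/**
 * Append the page-match patterns of an entry's "page-*" privileges.
 *
 * $entry is a user or group entry whose 'priv' key lists privilege
 * names. For each name that is a page privilege with a 'match' list in
 * $priv_list, every pattern of that list is appended to $allowed_pages.
 * Names that are unknown, not "page-*", or lack a match list are skipped.
 *
 * @param array $entry user/group entry (by reference, not modified)
 * @param array $allowed_pages accumulator, appended to in place
 * @return void
 */
function getPrivPages(& $entry, & $allowed_pages) {
	global $priv_list;

	if (!isset($entry['priv']) || !is_array($entry['priv'])) {
		return;
	}
	if (!is_array($priv_list)) {
		return;
	}

	foreach ($entry['priv'] as $pname) {
		if (strncmp($pname, "page-", 5) ||
		    !isset($priv_list[$pname]['match']) ||
		    !is_array($priv_list[$pname]['match'])) {
			continue;
		}
		foreach ($priv_list[$pname]['match'] as $match) {
			$allowed_pages[] = $match;
		}
	}
}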
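/**
 * Compute, store in the session and return the page-match patterns
 * that $username may access.
 *
 * For a remotely authenticated session the user's groups come from the
 * LDAP or RADIUS server selected by the webgui authmode; they are cached
 * in the session for auth_refresh_time seconds (default 30) to spare the
 * auth service. When that yields no groups, and for local sessions, the
 * local user entry of the same name supplies its own page privileges and
 * its groups. Every user is implicitly in group 'all'. The page patterns
 * of all local groups the user belongs to are gathered, stored in
 * $_SESSION['page-match'] and returned.
 *
 * @param string $username user name being authorised
 * @param array $attributes RADIUS reply attributes, handed by reference
 *                          to radius_get_groups()
 * @return array|null list of page-match patterns; null when the ldap
 *                    extension is not loaded (pre-existing behaviour)
 */
function getAllowedPages($username, &$attributes = array()) {
	global $config;

	/* kept as-is: without the ldap extension no page list is built */
	if (!function_exists("ldap_connect")) {
		return;
	}

	$allowed_pages = array();
	$allowed_groups = array();

	phpsession_begin();
	if (!empty($_SESSION['remoteauth'])) {
		$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
		$authtype = isset($authcfg['type']) ? $authcfg['type'] : '';

		// cache auth results for a short time to ease load on auth services & logs
		$recheck_time = 30;
		if (isset($config['system']['webgui']['auth_refresh_time'])) {
			$recheck_time = (int)config_get_path('system/webgui/auth_refresh_time');
		}
		$last_check = isset($_SESSION["auth_check_time"]) ? (int)$_SESSION["auth_check_time"] : 0;
		$cache_fresh = (time() <= $last_check + $recheck_time);

		// obtain ldap groups if we are in ldap mode
		if ($authtype === "ldap") {
			if ($cache_fresh && isset($_SESSION["ldap_allowed_groups"])) {
				$allowed_groups = $_SESSION["ldap_allowed_groups"];
			} else {
				/* lookup errors are suppressed as before; an empty result
				 * falls through to the local user lookup below */
				$allowed_groups = @ldap_get_groups($username, $authcfg);
				$_SESSION["ldap_allowed_groups"] = $allowed_groups;
				$_SESSION["auth_check_time"] = time();
			}
		} elseif ($authtype === "radius") {
			if ($cache_fresh && isset($_SESSION["radius_allowed_groups"])) {
				$allowed_groups = $_SESSION["radius_allowed_groups"];
			} else {
				$allowed_groups = @radius_get_groups($attributes);
				$_SESSION["radius_allowed_groups"] = $allowed_groups;
				$_SESSION["auth_check_time"] = time();
			}
		}
	}

	/* no remote groups (local auth, other server type, or a remote lookup
	 * that returned nothing): fall back to the local user of the same name */
	if (!$allowed_groups) {
		$local_user = getUserEntry($username);

		// obtain local user pages and groups if we have a local user
		if ($local_user) {
			getPrivPages($local_user, $allowed_pages);
			$allowed_groups = local_user_get_groups($local_user);
		}
	}

	// every user is implicitly a member of the 'all' group
	if (!is_array($allowed_groups)) {
		$allowed_groups = array('all');
	} else {
		$allowed_groups[] = 'all';
	}

	// build a list of allowed pages from the local groups the user is in
	if (isset($config['system']['group']) && is_array($config['system']['group'])) {
		foreach ($config['system']['group'] as $group) {
			if (isset($group['name']) &&
			    in_array($group['name'], $allowed_groups, true)) {
				getPrivPages($group, $allowed_pages);
			}
		}
	}

	$_SESSION['page-match'] = $allowed_pages;
	phpsession_end(true);
	return $allowed_pages;
}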
/**
 * Order a user's privilege names so that the ones needed for the
 * post-login redirect come first.
 *
 * "page-dashboard-all" and "page-system-login-logout" are moved to the
 * front, keeping their relative order from $privs; everything else
 * follows in its original order. Integer keys are renumbered, string
 * keys kept, as array_merge() does.
 *
 * @param array $privs privilege names
 * @return array the same names, reordered
 */
function sort_user_privs($privs) {
	// Privileges to place first, to redirect properly.
	$priority_privs = array("page-dashboard-all", "page-system-login-logout");

	$first = array();
	$rest = array();
	foreach ($privs as $key => $pname) {
		// string-cast comparison, the same rule array_intersect() applies
		if (in_array((string)$pname, $priority_privs, true)) {
			$first[$key] = $pname;
		} else {
			$rest[$key] = $pname;
		}
	}

	return array_merge($first, $rest);
}
?>